GHSA-253q-9q78-63x4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-253q-9q78-63x4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-253q-9q78-63x4/GHSA-253q-9q78-63x4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-253q-9q78-63x4
- Aliases
- Published
- 2026-01-28T16:21:03Z
- Modified
- 2026-01-28T16:33:26.927216Z
- Severity
-
- 8.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Clatter has a PSK Validity Rule Violation issue
- Details
-
Impact
Protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse.
Affected default patterns include
noise_pqkk_psk0,noise_pqkn_psk0,noise_pqnk_psk0,noise_pqnn_psk0, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties.Patches
The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns.
Workarounds
Avoid using offending
*_psk0variants of post-quantum patterns. Review custom handshake patterns carefully.Resources
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2026-01-28T00:15:50Z", "cwe_ids": [ "CWE-327" ], "github_reviewed_at": "2026-01-28T16:21:03Z", "severity": "HIGH" }- References
Affected packages
crates.io / clatter
Package
- Name
- clatter
- View open source insights on deps.dev
- Purl
- pkg:cargo/clatter